b' DEPARTMENT OF HOMELAND SECURITY\n\n  Of\xef\xac\x81ce of Inspector General\n\n\n\n Inadequate Security Controls Increase Risks\n         to DHS Wireless Networks\n\n\n\n\n Of\xef\xac\x81ce of Information Technology\nOIG-04-27                     June 2004\n\x0c\x0c                                                                      Of\xef\xac\x81ce of Inspector General\n\n                                                                      U.S. Department of Homeland Security\n                                                                      Washington, DC 20528\n\n\n\n\n                                              Preface\n\nThe Department of Homeland Security (DHS) Of\xef\xac\x81ce of Inspector General (OIG) was established\nby the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector\nGeneral Act of 1978. This is one of a series of audit, inspection, investigative, and special reports\nprepared by the OIG as part of its DHS oversight responsibility to identify and prevent fraud,\nwaste, abuse, and mismanagement.\n\nThis report assesses the strengths and weaknesses of the program or operation under review. It\nis based on interviews with employees and of\xef\xac\x81cials of relevant agencies and institutions, direct\nobservations, and a review of applicable documents.\n\nThe recommendations herein have been developed to the best knowledge available to the OIG,\nand have been discussed in draft with those responsible for implementation. It is my hope that\nthis report will result in more effective, ef\xef\xac\x81cient, and economical operations. I express my\nappreciation to all of those who contributed to the preparation of this report.\n\n\n\n\n                                              Clark Kent Ervin\n                                              Inspector General\n\x0c\x0c                                                                                                                         Contents\n\n\n  Introduction .................................................................................................................................... 3\n\n  Results in Brief .............................................................................................................................. 3\n\n  Background .................................................................................................................................... 4\n\n  Findings\xe2\x80\xa6 ..................................................................................................................................... 6\n\n       Strengthened Security Guidance Is Needed For Wireless Network Implementation .............. 6\n\n       Wireless Networks and Messaging Systems Are Vulnerable .................................................. 9\n\n       Wireless Networks Have Not Been Certi\xef\xac\x81ed and Accredited .................................................19\n\n  Recommendations ..........................................................................................................................21\n\n  Management Comments and OIG Evaluation ...............................................................................22\n\nAppendices\n\n  Appendix A:                 Purpose, Scope, and Methodology...................................................................25\n  Appendix B:                 Management\xe2\x80\x99s Response..................................................................................27\n  Appendix C:                 Wireless Technology Standards and Functionality ..........................................33\n  Appendix D:                 DHS Wireless Capabilities ...............................................................................34\n  Appendix E:                 Report Distribution ..........................................................................................35\n  Appendix F:                 Major Contributors to the Report.....................................................................36\n\n\nAbbreviations\n\n  802.11x                     Wireless Fidelity: 802.11a, 802.11b, and 802.11g\n  CBP                         Bureau of Customs and Border Protection\n  CIS                         Bureau of Citizenship and Immigration Services\n  ICE                         Bureau of Immigration and Customs Enforcement\n  CIO                         Chief Information Of\xef\xac\x81cer\n  C&A                         Certi\xef\xac\x81cation and Accreditation\n\n\n\n                    Inadequate Security Controls Increase Risks to DHS Wireless Networks                                                         Page 1\n\x0cContents\n\n   DHS        Department of Homeland Security\n   DMZ        Demilitarized Zone\n   EP&R       Emergency Preparedness and Response\n   FISMA      Federal Information Security Management Act\n   Handbook   The DHS IT Security Program Handbook for Sensitive Systems\n   IDS        Intrusion Detection System\n   IrDA       Infrared\n   ISSO       Information System Security Of\xef\xac\x81cers\n   IT         Information Technology\n   MAC        Media Access Control\n   MD         Management Directive\n   NIST       National Institute of Standards and Technology\n   OIG        Of\xef\xac\x81ce of Inspector General\n   OMB        Of\xef\xac\x81ce of Management and Budget\n   PDA        Personal Digital Assistant\n   SP         Special Publication\n   SSID       Service Set Identi\xef\xac\x81er\n   TSA        Transportation Security Administration\n   USCG       United States Coast Guard\n   USSS       United States Secret Service\n   WEP        Wired Equivalent Privacy\n\n\n\n\nPage 2               Inadequate Security Controls Increase Risks to DHS Wireless Networks\n\x0cOIG\nDepartment of Homeland Security\nOf\xef\xac\x81ce of Inspector General\n\n\n    Introduction\n                                   The Of\xef\xac\x81ce of Inspector General (OIG) evaluated whether Department of\n                                   Homeland Security (DHS) and its components1 have implemented adequate\n                                   security controls to protect data transmitted on wireless networks and devices.\n                                   This audit included an evaluation of the security policies and procedures for the\n                                   administration, con\xef\xac\x81guration, and use of sensitive but unclassi\xef\xac\x81ed DHS wireless\n                                   networks.\n\n                                   The objective was to determine whether DHS developed adequate security\n                                   policies, established oversight procedures, and implemented suf\xef\xac\x81cient security\n                                   measures to ensure that wireless networks and devices are secure. Work was\n                                   conducted at DHS\xe2\x80\x99 Of\xef\xac\x81ce of the Chief Information Of\xef\xac\x81cer (CIO) and selected\n                                   components. Fieldwork was performed at DHS facilities from October 2003\n                                   through January 2004. See Appendix A for a discussion of our purpose, scope, and\n                                   methodology.\n\n    Results in Brief\n                                   DHS has not provided suf\xef\xac\x81cient guidance to its components or established\n                                   adequate controls necessary to implement its wireless program. Speci\xef\xac\x81cally:\n                                   (1) wireless policy is incomplete, (2) procedures do not establish a sound baseline\n                                   for wireless security implementation, and (3) the National Wireless Management\n                                   Of\xef\xac\x81ce is not exercising its full responsibilities in addressing DHS\xe2\x80\x99 wireless\n                                   technologies. Further, DHS has not established adequate security measures to\n                                   protect its wireless networks and devices against security risks. Finally, although\n                                   the DHS security policy requires certi\xef\xac\x81cation and accreditation (C&A) for its\n                                   systems to operate, none of the wireless systems reviewed had been certi\xef\xac\x81ed or\n                                   accredited. As a result of these wireless network exposures, DHS cannot ensure\n                                   that the sensitive information processed by its wireless systems are effectively\n                                   protected from unauthorized accesses and potential misuse.\n\n\n\n    1\n        DHS components are de\xef\xac\x81ned as Directorates (including organizational elements and bureaus) and critical agencies.\n\n\n\n                           Inadequate Security Controls Increase Risks to DHS Wireless Networks                            Page 3\n\x0c             Our report includes \xef\xac\x81ve recommendations that will assist DHS in remedying the\n             de\xef\xac\x81ciencies that we identi\xef\xac\x81ed. Speci\xef\xac\x81cally, the DHS CIO should:\n\n                 \xe2\x80\xa2   De\xef\xac\x81ne the conditions and limitations for using wireless technologies in\n                     the DHS security policy.\n\n                 \xe2\x80\xa2   Update the DHS Information Technology (IT) Security Program\n                     Handbook for Sensitive Systems (Handbook) to include implementation\n                     procedures required by National Institute of Standards and\n                     Technology (NIST) Special Publication (SP) 800-48 for the use of\n                     wireless technologies.\n\n                 \xe2\x80\xa2   Require the National Wireless Management Of\xef\xac\x81ce (WMO) to provide\n                     the necessary oversight and guidance to align components\xe2\x80\x99 wireless\n                     programs with DHS\xe2\x80\x99 wireless goals.\n\n                 \xe2\x80\xa2   Implement a standardized con\xef\xac\x81guration for wireless technologies on\n                     DHS networks.\n\n                 \xe2\x80\xa2   Complete a C&A for each DHS system.\n\n             In response to our draft report, the DHS CIO agreed and has already taken steps\n             to implement each of the above recommendations. However, the DHS CIO\n             disagreed that the National Wireless Management Of\xef\xac\x81ce is not exercising its full\n             responsibilities. Based on our assessment of the CIO\xe2\x80\x99s response, we continue\n             to maintain our conclusion that oversight by the WMO of wireless functionality\n             within DHS needs to be improved. DHS\xe2\x80\x99 response is summarized and evaluated\n             in the body of this report and included, in its entirety, as Appendix B.\n\nBackground\n             Wireless technologies can enhance the productivity of DHS employees.\n             Enhanced functionality and increases in the number and types of available\n             applications have dramatically increased the use and usefulness of wireless\n             devices. Wireless devices have addressed user requirements for immediate\n             communication, service, and greater productivity. In the past \xef\xac\x81ve years, there has\n             been a dramatic evolution in wireless technologies, standards, and implementation\n             practice. These changes may expose sensitive information systems to security\n             vulnerabilities.\n\n\n\n\nPage 4               Inadequate Security Controls Increase Risks to DHS Wireless Networks\n\x0c                              The use of wireless technology has introduced new security risks to a wired\n                              network, such as unauthorized access to data through eavesdropping2 or theft.\n                              Highly portable, handheld wireless devices, such as personal digital assistants3\n                              (PDA) and wireless messaging devices, can contain sensitive information that is\n                              easily retrievable, especially if the device is lost or stolen. Eavesdropping can\n                              result in a hacker gaining unauthorized access to DHS\xe2\x80\x99 wired network. Further,\n                              the \xef\xac\x82exibility and portability of wireless technology and devices increases the\n                              need for security. One concern is data interception. Hackers can intercept radio\n                              signals by eavesdropping on the transmission, possibly compromising sensitive\n                              data stored on laptop computers, PDAs, and other wireless handheld devices.\n                              The introduction of these vulnerabilities increases the need to develop adequate\n                              policies and procedures and to implement strong security controls to mitigate risks\n                              associated with wireless devices and networks.\n\n                              The most common communication standards used by wireless devices are:\n\n                                   1) 802.11x4\n\n                                   2) Bluetooth\n\n                                   3) Infrared (IrDA)\n\n                              The 802.11x devices form a wireless local area network by connecting through\n                              an access point or to other 802.11x devices. Today, most laptop computers are\n                              equipped with 802.11x chipsets and IrDA ports, which give these devices wireless\n                              functionality. Recently, projectors have included the capability to use the 802.11x\n                              wireless technology communication standard. \xe2\x80\x9cBluetooth\xe2\x80\x9d is primarily used on\n                              handheld devices such as PDAs. Some new generation printers come with IrDA\n                              ports, 802.11x, and Bluetooth chipsets already built-in. See Appendix C for more\n                              information on wireless technology standards and functionality.\n\n                              The tragic events of September 11, 2001, underscored the need for critical\n                              personnel and senior management to have the capability to communicate sensitive\n                              information and management decisions securely during emergencies. On this\n                              date, excessive call volume overburdened the cellular telephone system, but\n\n2\n  \xe2\x80\x9cEavesdropping\xe2\x80\x9d is the operation of capturing data by an unintended party; in addition to invasion of privacy, it may also lead to other\nattacks such as impersonation, session hijacking, packet spoo\xef\xac\x81ng, and internet sharing by unauthorized parties.\n3\n  A handheld computer that stores and organizes personal information. Data is synchronized between a user\xe2\x80\x99s PDA and desktop computer\nby cable or wireless transmission.\n4\n  The Institute of Electrical and Electronics Engineers 802.11 standards, such as 802.11a, 802.11b, and 802.11g; and implies Wireless\nFidelity or Wireless Local Area Network.\n\n\n                     Inadequate Security Controls Increase Risks to DHS Wireless Networks                                          Page 5\n\x0c                               the Blackberry\xc2\xae communication services were able to function. DHS uses\n                               Blackberry\xc2\xae devices as its primary wireless messaging service.\n\n                               The Federal Information Security Management Act (FISMA) of 2002, Title III,\n                               E-Government Act of 2002, P.L. 107-347, December 17, 2002, requires each\n                               agency to develop, document, and implement an agency-wide information\n                               security program, to provide security for the information and information systems,\n                               including wireless systems, that support the operations and assets of the agency.\n                               Policies should ensure that information security is addressed throughout the life\n                               cycle of each agency information system and determine minimally acceptable\n                               system con\xef\xac\x81guration requirements.\n\nFindings\n\n            Strengthened Security Guidance Is Needed For Wireless Network\n            Implementation\n                               DHS has not provided suf\xef\xac\x81cient guidance on wireless implementation to its\n                               components. Speci\xef\xac\x81cally: (1) wireless policy is incomplete and remains in draft;\n                               (2) implementation procedures do not establish a sound baseline for wireless\n                               security; and, (3) the National Wireless Management Of\xef\xac\x81ce is not exercising\n                               its full responsibilities in overseeing DHS\xe2\x80\x99 wireless technologies. As a result,\n                               the lack of adequate guidance has diminished the effectiveness of controls\n                               implemented to protect DHS networks.\n\n                               DHS Wireless Policy Is Incomplete\n\n                               Although DHS established an Information Technology Security Program policy,\n                               Management Directive (MD) 4300A, to include wireless communication\n                               technologies and devices, it does not cover Bluetooth technology and remains\n                               in draft.5 Without speci\xef\xac\x81c policy, IT security managers are less likely to address\n                               the risks associated with the use of Bluetooth technology which is designed to\n                               connect disparate devices to form an ad hoc network. Further, components have\n                               not established their own IT security policies including wireless technology.\n\n                               When drafting its wireless communications policy, DHS of\xef\xac\x81cials omitted\n                               Bluetooth technology, because they concluded that it did not pose a signi\xef\xac\x81cant\n\n5\n    At the time of our review, MD 4300A was in draft; however, as of February 9, 2004, this MD was formally issued.\n\n\n\n\nPage 6                                     Inadequate Security Controls Increase Risks to DHS Wireless Networks\n\x0c                               risk. However, other federal and wireless industry authorities have issued security\n                               notices on Bluetooth vulnerabilities. As Bluetooth functionality is added to more\n                               devices and continues to gain widespread use, DHS must address the security\n                               vulnerabilities associated with the use of Bluetooth technology. Many devices\n                               such as laptop computers, cellular phones, printers, PDAs, cameras, and other\n                               peripheral devices have Bluetooth technology built-in.\n\n                               DHS and its components share the responsibility for developing, implementing,\n                               and managing their wireless communications. While the DHS Of\xef\xac\x81ce of the\n                               CIO is responsible for the oversight and management of its wireless program,\n                               the components, using the DHS IT security policy as a baseline, were required\n                               to develop their own IT security policies, standards, and guidelines to include\n                               wireless activities. MD 4300A required each component to provide draft\n                               directives and procedures to the DHS Chief Information Security Of\xef\xac\x81cer by\n                               November 30, 2003. Only three of the eight components covered in our review\n                               - Emergency Preparedness and Response (EP&R), Transportation Security\n                               Administration (TSA), and United States Coast Guard (USCG) - prepared draft\n                               security policies for wireless technology. Although these policies have been\n                               drafted, they do not include all of the requirements contained in the DHS security\n                               policy or the NIST SP 800-48. The remaining \xef\xac\x81ve components lacked policies to\n                               address wireless communications.\n\n                               Implementation Procedures Can Be Improved\n\n                               The DHS Handbook6 does not include many of the required controls for 802.11x\n                               and wireless messaging systems as prescribed by NIST SP 800-48. Further, the\n                               handbook does not de\xef\xac\x81ne the necessary security controls for the implementation\n                               and use of Bluetooth technology. Consequently, components may lack suf\xef\xac\x81cient\n                               guidance to implement effective security controls for wireless networks and\n                               devices.\n\n                               The purpose of the DHS Handbook is to provide procedures for implementing the\n                               requirements of the DHS IT Security Program. To support the security of wireless\n                               technology, the handbook refers to various NIST publications. The NIST SP 800-\n                               48, Wireless Network Security, provides security guidelines and procedures\n                               for 802.11x, Bluetooth, and handheld devices. The handbook did not include\n                               any reference on the use of Bluetooth technology. As a result, critical security\n                               management practices and controls for maintaining and operating a secure\n\n6\n    Version 1.4, dated December 16, 2003.\n\n\n\n                       Inadequate Security Controls Increase Risks to DHS Wireless Networks                Page 7\n\x0c                             wireless network, recommended by NIST SP 800-48, were not incorporated into\n                             the handbook, including:\n\n                                  \xe2\x80\xa2     De\xef\xac\x81nitions of the approved uses of wireless networks.\n\n                                  \xe2\x80\xa2     Standards for hardware and software con\xef\xac\x81gurations for portable\n                                        electronic devices.\n\n                                  \xe2\x80\xa2     Conditions and limitations for handheld devices, such as authorized\n                                        locations or the use of public \xe2\x80\x9chot spots.\xe2\x80\x9d\n\n                                  \xe2\x80\xa2     Requirements for reporting and deactivating lost or stolen laptops and\n                                        handheld devices and disposing of wireless devices.\n\n                                  \xe2\x80\xa2     Criteria for the use of handheld device features such as wireless radio\n                                        frequency transmission, peer-to-peer7 communication, and Internet\n                                        connectivity.\n\n                                  \xe2\x80\xa2     Requirements to monitor the wireless industry for the release of new\n                                        products with improved security or changes in wireless standards\n                                        affecting security.\n\n                                  \xe2\x80\xa2     Requirements to review security alerts and advisories relevant to wireless\n                                        technology to identify vulnerabilities applicable to the DHS environment.\n\n                             The National Wireless Management Of\xef\xac\x81ce Is Not Exercising Its\n                             Full Responsibilities\n\n                             The National Wireless Management Of\xef\xac\x81ce currently does not oversee all\n                             DHS wireless functionality. The of\xef\xac\x81ce was created on March 25, 2003, by\n                             MD 4100.1, to oversee all wireless technology and establish wireless goals to\n                             improve homeland security, reduce technology costs, and ensure interoperability\n                             of systems. Although the National Wireless Management Of\xef\xac\x81ce was to\n                             coordinate and develop policy and strategy for all DHS wireless technologies,\n                             at present, its primary focus is on land mobile radio systems. The National\n                             Wireless Management Of\xef\xac\x81ce does not provide current oversight of wireless\n                             implementation within DHS. The National Wireless Management Of\xef\xac\x81ce is\n\n\n7\n Peer-to-peer messages are sent from handheld to handheld across the wireless network. The peer-to-peer messages do not pass through a\nmail server.\n\n\nPage 8                                  Inadequate Security Controls Increase Risks to DHS Wireless Networks\n\x0c                              focused only on radio infrastructure because current DHS priorities and funding\n                              are directed toward management of land mobile radio systems.\n\n                              Sound guidance is the \xef\xac\x81rst step in implementing a secure information system.\n                              Incomplete wireless policy, the issuance of weak implementation guidance, and\n                              inadequate management oversight may result in sensitive data that cannot be\n                              effectively protected. Without adequate controls and implementation procedures\n                              for all wireless technologies, malicious users may gain unauthorized access to\n                              a network and its data. Establishing and enforcing compliance with a security\n                              policy that includes Bluetooth will help mitigate the inherent security risks.\n                              Furthermore, wireless networks operating without required security management\n                              practices and procedures increase the risk that security controls protecting DHS\n                              networks can be circumvented. Finally, components that implement wireless\n                              systems without speci\xef\xac\x81c requirements and guidelines may not align with DHS\n                              wireless goals.\n\n     Wireless Networks and Messaging Systems Are Vulnerable\n\n                              DHS has not established adequate security controls to protect its wireless\n                              networks and devices against commonly known security vulnerabilities. To\n                              assess the security of wireless within DHS we: (1) used a handheld wireless\n                              network scanner to detect rogue8 802.11b devices and evaluate the coverage\n                              of the wireless signals broadcast by the access points; (2) used a Bluetooth\n                              transceiver to detect the presence of Bluetooth signals; and (3) reviewed security\n                              con\xef\xac\x81gurations on wireless messaging servers and sampled wireless messaging\n                              devices to evaluate the effectiveness of the implemented controls. In assessing\n                              the effectiveness of controls implemented on DHS wireless networks and devices,\n                              we identi\xef\xac\x81ed several vulnerabilities regarding 802.11x wireless networks and\n                              devices, Bluetooth devices, and wireless messaging systems.\n\n                              DHS\xe2\x80\x99 Wireless Networks Are Susceptible To Monitoring And Eavesdropping\n\n                              The security controls implemented on DHS\xe2\x80\x99 802.11x wireless networks do\n                              not protect against unauthorized access to sensitive data maintained on DHS\n                              networks. The DHS components have employed 802.11x technology without\n                              effective con\xef\xac\x81guration standards and implementation guidance. Wireless\n                              networks operating without a standard wireless con\xef\xac\x81guration or adequate\n\n\n8\n A \xe2\x80\x9crogue\xe2\x80\x9d access point is one that is accessible to an organization\xe2\x80\x99s employees, but is not managed as a part of the approved network.\nMost rogue access points are installed by employees and not managed by IT administrators.\n\n\n                     Inadequate Security Controls Increase Risks to DHS Wireless Networks                                          Page 9\n\x0c                               controls increases the risk that security controls protecting DHS networks can be\n                               circumvented.\n\n                               The 802.11x transmission standard is the most widely installed wireless network\n                               technology industry-wide, but many users are unaware of its vulnerabilities.\n                               According to industry experts, while some measures are in place to improve\n                               security, users or the provider of wireless transmission sites usually neglect these\n                               controls.\n\n                               In October 2003, we requested that DHS components identify their use of\n                               wireless technology. As illustrated in Appendix D, four components - Bureau of\n                               Citizenship and Immigration Services (CIS), EP&R, TSA, and USCG - said that\n                               they were using 802.11x wireless technology. In addition to the four components\n                               reporting the use of 802.11x technology, we conducted scans at other selected\n                               components: the Bureau of Customs and Border Protection (CBP), DHS\n                               Management, and the United States Secret Service (USSS).\n\n                               We performed random 802.11b detection scans at ten different facilities to\n                               identify rogue wireless devices, verify signal coverage for access points, and\n                               review con\xef\xac\x81guration settings to evaluate security controls. The four components\n                               which reported use of 802.11x technology do not monitor wireless activity and\n                               do not have a set schedule to review access point logs to identify unauthorized\n                               login attempts or to determine whether rogue devices had been introduced into the\n                               network. In addition, during our onsite scans, namely of these four components,\n                               we found several 802.11x security vulnerabilities:\n\n                                     \xe2\x80\xa2     There was no Demilitarized Zone9 (DMZ) to separate a wireless network\n                                           from the wired network at a CIS facility.10 A wireless network was\n                                           connected directly to a wired network at the facility. In addition, the\n                                           local administrator was not aware of the need to establish a DMZ to\n                                           separate wireless traf\xef\xac\x81c from the wired network.\n\n                                     \xe2\x80\xa2     For each component using 802.11x technology, there are no intrusion\n                                           detection systems11 (IDS) installed to monitor wireless activity. IDS\n                                           can be con\xef\xac\x81gured to send a noti\xef\xac\x81cation to system administrators to\n\n9\n  A \xe2\x80\x9cDMZ\xe2\x80\x9d is typically a safe area protected by two perimeter \xef\xac\x81rewalls that ensures that users and network traf\xef\xac\x81c do not transverse the two\nnetworks without proper authentication and authorization.\n10\n   Although this is a CIS facility, the site is connected to ICE network infrastructure. In addition to adopting ICE\xe2\x80\x99s security policies at this\nfacility, ICE personnel provide network support to the facility too.\n11\n   An IDS is an effective tool for determining whether unauthorized users are attempting to access, have already accessed, or have\ncompromised the network.\n\n\nPage 10                                    Inadequate Security Controls Increase Risks to DHS Wireless Networks\n\x0c                                        take immediate action and eliminate threats or minimize damage from\n                                        unauthorized access.\n\n                                  \xe2\x80\xa2     We identi\xef\xac\x81ed two rogue wireless access points at a USCG facility.\n                                        USCG of\xef\xac\x81cials told us that they had not performed periodic scans, but\n                                        they plan to do so once they purchase an 802.11x scanner. Without\n                                        periodic scans, a malicious or irresponsible user can conceal a rogue\n                                        device in a closet, under a conference room table, or any hidden area\n                                        within a building. The rogue device can then be used to intercept\n                                        traf\xef\xac\x81c between an authorized wireless access point and clients, or allow\n                                        malicious users unauthorized access to the network. Introducing rogue\n                                        devices to a network creates signi\xef\xac\x81cant security vulnerabilities, which\n                                        bypass security controls and opens a back door to malicious users.\n\n                                  \xe2\x80\xa2     During our scans, we detected DHS wireless signals broadcasting beyond\n                                        the physical boundaries, i.e., perimeter walls, at CIS, EP&R, and USCG\n                                        facilities. Although EP&R and USCG facilities are located within\n                                        secured compounds, these wireless signals create security vulnerabilities,\n                                        such as eavesdropping and denial of service12 attacks. For example, at\n                                        the CIS Service Center, we detected wireless signals emanating from\n                                        the facility in the parking lot, on public roads behind the facility, and the\n                                        surrounding residences.\n\n\n\n\n12\n  Denial of service is a form of attacking another computer or company by sending millions or more requests every second causing the\nnetwork to slow down, cause errors, or shut down.\n\n\n                     Inadequate Security Controls Increase Risks to DHS Wireless Networks                                      Page 11\n\x0c              The following diagram illustrates DHS signals broadcasting beyond the\n              facility\xe2\x80\x99s physical boundaries.\n                                                Chart 1\n\n\n\n\n              The local CIS administrators said that the DHS signals were detected from\n              outside the facility because wireless access points had been repositioned\n              to the back of the building during a recent expansion. The network\n              administrators did not perform a signal coverage test to determine the\n              proper placement of the access points or to ensure that wireless signals\n              were restricted to the DHS facility.\n\n          \xe2\x80\xa2   We detected non-DHS wireless signals within CIS and CBP facilities.\n              These signals can be used to monitor or gain unauthorized access to DHS\n              wireless networks and sensitive data or to launch denial of service attacks.\n              For example, from within a CIS Service Center facility we detected\n              signals from surrounding residences and businesses.\n\n\nPage 12        Inadequate Security Controls Increase Risks to DHS Wireless Networks\n\x0c                The following diagram illustrates non-DHS signals broadcasting within\n                the facility\xe2\x80\x99s physical boundaries.\n                                          Chart 2\n\n\n\n\n       The DHS Handbook speci\xef\xac\x81es that maintaining a secure wireless network is an\n       ongoing process that requires greater effort than that required for other networks\n       and systems. In addition, NIST SP 800-48, Wireless Network Security, requires\n       that agencies should assess risks more frequently, as well as test and evaluate\n       system security controls when wireless technologies are deployed.\n\n       None of the four components using 802.11x technology had applied DHS\xe2\x80\x99\n       minimal security requirements to protect their wireless networks. We discovered\n       that the following controls, required by the DHS Handbook and NIST, were not\n       implemented at one or more sites visited:\n\n\n\nInadequate Security Controls Increase Risks to DHS Wireless Networks               Page 13\n\x0c                                   \xe2\x80\xa2     Site surveys to place wireless assess points strategically to minimize the\n                                         risks of eavesdropping from unauthorized users.\n\n                                   \xe2\x80\xa2     Security tests to evaluate the effectiveness of wireless controls according\n                                         to the requirements outlined in the NIST SP 800-48.\n\n                                   \xe2\x80\xa2     Periodic scans for rogue devices to ensure that unauthorized devices are\n                                         not introduced to the network.\n\n                                   \xe2\x80\xa2     Installation of boundary protection devices, such as \xef\xac\x81rewalls and IDS, to\n                                         separate wired and wireless networks.\n\n                                   \xe2\x80\xa2     Changing the default Wired Equivalent Privacy13 (WEP) keys to make\n                                         them dif\xef\xac\x81cult to guess and to minimize unauthorized login attempts.\n\n                                   \xe2\x80\xa2     Enabling 128-bit encryption14 on WEP keys and using robust passwords\n                                         to increase the level of encryption on the assess points and to minimize\n                                         the threats from unauthorized access.\n\n                                   \xe2\x80\xa2     Enabling Media Access Control15 (MAC) \xef\xac\x81ltering to limit access to\n                                         legitimate wireless devices.\n\n                                   \xe2\x80\xa2     Disabling the broadcast of the Service Set Identi\xef\xac\x81er16 (SSID) so that this\n                                         access point identi\xef\xac\x81er is not readily available to the general public.\n\n                                   \xe2\x80\xa2     Adopting a \xe2\x80\x9cdefense in depth\xe2\x80\x9d17 approach, which promotes the\n                                         application of multiple layers of available security to secure all aspects\n                                         of a network. In addition, network administrators should receive\n                                         specialized training on protecting wireless networks.\n\n13\n   \xe2\x80\x9cWEP\xe2\x80\x9d is a system security protocol (encryption process) speci\xef\xac\x81ed in the Institute of Electrical and Electronics Engineers 802.11\nstandards that is designed to provide a wireless local area network with a level of security and privacy comparable to what is usually\nexpected of a wired local area network.\n14\n   \xe2\x80\x9cEncryption\xe2\x80\x9d is the conversion of data into a form that cannot be easily understood by unauthorized people. Accordingly, 128-bit\nencryption is a strong, industry standard method of securing data transmissions.\n15\n   MAC \xef\xac\x81ltering provides capabilities for restricting access to the wireless local area network based on MAC access control lists that\nare stored and distributed across many access points. The MAC access control list grants or denies access to a computer using a list of\npermissions designated by MAC address.\n16\n   The SSID is a con\xef\xac\x81gurable identi\xef\xac\x81cation that allows clients to communicate to the appropriate base station. With proper con\xef\xac\x81guration,\nonly clients that are con\xef\xac\x81gured with the same SSID can communicate with base stations having the same SSID. From a security point of\nview, the SSID acts as a simple single shared password between base stations and clients.\n17\n   \xe2\x80\x9cDefense in depth\xe2\x80\x9d is the concept of protecting a computer network with a series of defensive mechanisms, e.g., if one mechanism fails,\nanother will already be in place to thwart an attack.\n\n\n\nPage 14                                  Inadequate Security Controls Increase Risks to DHS Wireless Networks\n\x0c       Further, of the eight components reviewed, only the USSS had performed 802.11x\n       scans within its facilities. The USSS is currently not using 802.11x technology,\n       but scans for rogue access points as part of its security program requirements.\n\n       These weaknesses occurred because, prior to transitioning to DHS, components\n       had already implemented their wireless networks under legacy agencies\xe2\x80\x99 security\n       con\xef\xac\x81gurations. Wireless controls implemented at the components reviewed were\n       not effective to protect against unauthorized access. Further, there is a lack of\n       awareness among the administrators of the need to implement additional security\n       controls to protect wireless networks.\n\n       Because strong controls are not implemented on all of its wireless networks,\n       DHS lacks the ability to prevent unauthorized users from connecting to its\n       networks or to ensure that only legitimate users can access the network resources.\n       Without performing site surveys, DHS cannot ensure that its wireless signals\n       are broadcast only to the intended area and users. Further, when components\n       do not apply NIST\xe2\x80\x99s minimal security requirements, DHS does not have\n       assurance that its wireless networks are properly con\xef\xac\x81gured and protected against\n       malicious activities. Finally, wireless networks operating without a standardized\n       con\xef\xac\x81guration increase the risk that security controls protecting DHS networks can\n       be circumvented.\n\n       Bluetooth Devices Can Be Exploited\n\n       Although DHS\xe2\x80\x99 policy does not address the use of Bluetooth technology, we\n       identi\xef\xac\x81ed Bluetooth enabled devices at three of ten components (CIS, USCG, and\n       USSS) scanned. Because end users may not be aware of Bluetooth technology\n       embedded in their devices, equipment can be connected to a network that\n       introduces the security vulnerabilities associated with Bluetooth technology.\n\n       Bluetooth technology is built into various technological devices such as\n       headphones, keyboards, digital cameras, printers, projectors, cellular phones,\n       laptop computers, and PDAs - often unknown to the end user. During our scans,\n       we determined that Bluetooth had been enabled on:\n\n           \xe2\x80\xa2    Three laptop computers at a USSS facility. One of these laptop computers\n                was connected to the network, potentially allowing back door access to the\n                network. Neither the user nor security personnel was aware that Bluetooth\n                capability was enabled on the laptop computer. The local administrator\n\n\n\n\nInadequate Security Controls Increase Risks to DHS Wireless Networks              Page 15\n\x0c                  told us that his of\xef\xac\x81ce performed random scans for 802.11x devices but not\n                  for Bluetooth devices.\n             \xe2\x80\xa2    Cellular phones at three separate DHS facilities. Although the risk is low,\n                  a malicious user can use a Bluetooth enabled cellular phone as a bugging\n                  device.\n\n          Without policy or procedures to address Bluetooth technology, there is no\n          requirement to test all electronic devices for Bluetooth technology prior to\n          installing any new equipment in a facility or for performing periodic scans for\n          Bluetooth devices.\n\n          The NIST SP 800-48 recommends the following controls to protect Bluetooth\n          devices:\n\n              \xe2\x80\xa2    De\xef\xac\x81ne the approved uses for Bluetooth devices.\n\n              \xe2\x80\xa2    Prohibit the use of Bluetooth enabled devices in a classi\xef\xac\x81ed environment.\n\n              \xe2\x80\xa2    Provide users with training as to the vulnerabilities associated with the\n                   use of Bluetooth technology.\n\n              \xe2\x80\xa2    Enable device authentication as an extra level of security.\n\n              \xe2\x80\xa2    Enable encryption to encrypt all traf\xef\xac\x81c between devices.\n\n              \xe2\x80\xa2    Enable the device password protection feature.\n\n          As Bluetooth continues to gain popularity, DHS must address the security\n          vulnerabilities associated with the use of this technology. Establishing guidelines\n          on servers and devices along with enforcing compliance with security policies\n          can help mitigate the inherent Bluetooth security risks. When Bluetooth\n          vulnerabilities are not addressed, malicious users may gain unauthorized access to\n          a network and its data or launch denial of service attacks.\n\n          Wireless Messaging Systems Need More Stringent Controls\n\n          DHS has not established adequate security controls to enforce device level\n          management from the server. Consequently, users may disable security\n          con\xef\xac\x81guration settings on their handheld devices. Without stringent controls, DHS\n\n\n\nPage 16            Inadequate Security Controls Increase Risks to DHS Wireless Networks\n\x0c       cannot ensure that the sensitive messages processed by its wireless messaging\n       systems are protected from unauthorized accesses and potential misuse.\n\n       We identi\xef\xac\x81ed \xef\xac\x81ve components using wireless messaging systems. The CBP,\n       Bureau of Immigration and Customs Enforcement (ICE), DHS Management,\n       and EP&R utilized the Blackberry\xc2\xae Enterprise Server software, while the USCG\n       employed GoodLink\xe2\x84\xa2 Server software. To assess the controls over DHS\xe2\x80\x99\n       wireless messaging systems, we randomly sampled wireless devices and reviewed\n       the security con\xef\xac\x81guration settings on the applicable servers.\n\n       Only EP&R was using an updated version of Blackberry\xc2\xae software, allowing\n       security controls to be centrally managed from the server. When applied, the\n       server\xe2\x80\x99s security settings propagate down and become mandatory for all handheld\n       devices.\n\n       DHS Management was using a current version of Blackberry\xc2\xae software, but\n       had not implemented required device controls at the server. The CBP and ICE\n       employed an older version of Blackberry\xc2\xae software, which did not permit device\n       level management from the server. The CBP and ICE Blackberry\xc2\xae servers\n       were con\xef\xac\x81gured with weak security settings and did not enforce recommended\n       security controls. Thus, the users could adjust security settings on the device.\n       Speci\xef\xac\x81cally, we determined that:\n\n            \xe2\x80\xa2    Password protection was not enabled for individual devices.\n\n            \xe2\x80\xa2    Criteria for password aging and composition were not set at the server,\n                 allowing users to create \xe2\x80\x9cweak\xe2\x80\x9d passwords on the devices.\n\n            \xe2\x80\xa2    Weak encryption was enabled on handheld devices, instead of the\n                 recommended strong encryption. Use of weak encryption allows an\n                 attacker to easily bypass password protection on a device to gain access\n                 to its sensitive contents.\n\n            \xe2\x80\xa2    The Peer-to-Peer feature was not disabled. Wireless messages sent and\n                 received between devices are unencrypted, thereby circumventing the\n                 Blackberry\xc2\xae software encryption.\n\n            \xe2\x80\xa2    The Internet browsing feature was enabled on handheld devices.\n                 Handheld devices that have Internet browsing capability can be\n                 susceptible to virus infection and malicious attacks.\n\n\n\nInadequate Security Controls Increase Risks to DHS Wireless Networks               Page 17\n\x0c                                  \xe2\x80\xa2     The feature to automatically erase the data from the handheld device after\n                                        a number of unsuccessful logon attempts was not enabled.\n\n                            The USCG is the only component that uses a GoodLink\xe2\x84\xa2 wireless messaging\n                            system. The current version of software on the Goodlink\xe2\x84\xa2 software permits only\n                            limited device level management. Password and device timeout features that\n                            protect the device from unauthorized use were enabled through the GoodLink\xe2\x84\xa2\n                            desktop software installed on the users\xe2\x80\x99 computers; however, users may modify\n                            the controls of the desktop software.\n\n                            The USCG had enabled 128-bit encryption on the GoodLink\xe2\x84\xa2 server and on all\n                            handheld devices. Further, Peer-to-Peer and Internet browsing features are not\n                            available options for GoodLink\xe2\x84\xa2 devices. Therefore, this limited functionality\n                            does not pose serious vulnerabilities.\n\n                            Best practices, as presented by the Defense Information Systems Agency18 and\n                            SANS19, recommend the following controls to secure wireless messaging systems\n                            and devices:\n\n                                  \xe2\x80\xa2     Enable password protection and time-out features.\n\n                                  \xe2\x80\xa2     Use strong passwords and encryption.\n\n                                  \xe2\x80\xa2     Disable the Peer-to-Peer feature between devices.\n\n                                  \xe2\x80\xa2     Disable Internet browsing.\n\n                                  \xe2\x80\xa2     Enable the feature to automatically erase all data from the handheld\n                                        device after a number of unsuccessful logon attempts in the event the\n                                        device is loss or stolen.\n\n                            Without more stringent controls, DHS cannot ensure that the sensitive messages\n                            processed by its wireless messaging systems are protected effectively from\n                            unauthorized accesses and potential misuse.\n\n\n\n\n18\n  Wireless Security Technical Implementation Guide, Version 1, Release 4, dated January 9, 2003.\n19\n  SANS is a leader in information security research, certi\xef\xac\x81cation, and education. The SANS (SysAdmin, Audit, Network, Security)\nInstitute was established in 1989 as a cooperative research and education organization.\n\n\n\nPage 18                                 Inadequate Security Controls Increase Risks to DHS Wireless Networks\n\x0cWireless Networks Have Not Been Certi\xef\xac\x81ed and Accredited\n\n                DHS\xe2\x80\x99 wireless networks and messaging systems are currently operating without\n                C&A. When wireless networks and messaging systems operate without a full\n                C&A, DHS has little assurance that these networks and systems meet a speci\xef\xac\x81ed\n                set of security requirements.\n\n                The primary purpose of C&A is to ensure that adequate security is provided for\n                information collected, processed, transmitted, stored, or disseminated by the\n                systems. Speci\xef\xac\x81cally, we determined that:\n\n                     \xe2\x80\xa2    CIS, EP&R, USCG, and TSA were using 802.11x wireless networks\n                          without a C&A to operate.\n\n                     \xe2\x80\xa2    CBP and DHS Management were using wireless messaging systems\n                          without a C&A to operate.\n\n                     \xe2\x80\xa2    ICE, EP&R, and USCG were using wireless messaging systems under an\n                          Interim Authority to Operate.\n\n                Without a C&A and Interim Authority to Operate, it is unknown whether systems\n                have met the stringent security requirements established by applicable federal and\n                DHS guidance.\n\n                The security certi\xef\xac\x81cation package presents the results of the security certi\xef\xac\x81cation\n                and provides the authorizing of\xef\xac\x81cial with the essential information needed to\n                make a credible risk based decision on whether to authorize operation of the\n                information system. The security certi\xef\xac\x81cation package contains the following\n                documents: (i) the updated security plan; (ii) the security test and evaluation\n                report; and (iii) the plan of action and milestones.\n\n                The purpose of the security plan is to provide an overview of the security\n                requirements of the system and describe the controls in place or planned for\n                meeting those requirements. We identi\xef\xac\x81ed control weaknesses that may not have\n                occurred had an updated security plan been in place:\n\n                    \xe2\x80\xa2    EP&R and DHS Management could not account for all of their wireless\n                         messaging devices. Of\xef\xac\x81cials said that the devices were lost or stolen.\n\n\n\n\n         Inadequate Security Controls Increase Risks to DHS Wireless Networks                Page 19\n\x0c             \xe2\x80\xa2   None of the components included wireless vulnerabilities as part of\n                 their security awareness training. Consequently, wireless administrators\n                 and users have limited knowledge on the use and protection of wireless\n                 devices.\n             \xe2\x80\xa2   DHS management of\xef\xac\x81cials maintained two separate wireless messaging\n                 inventory lists. One list contained 170 devices while the other identi\xef\xac\x81ed\n                 534 devices. The security manager was unable to explain this discrepancy.\n          As previously reported in the Federal Emergency Management Agency,\n          Government Information Security Reform Act Annual Report For Fiscal\n          Year 2002, EP&R still does not have a complete listing of all devices with\n          wireless connectivity capabilities. This is a concern because there are many\n          documented information security weaknesses related to wireless connectivity.\n          The de\xef\xac\x81ciencies in security controls, noted above, demonstrate problems with\n          physical security and shortcomings in the security program.\n\n          Of\xef\xac\x81ce of Management and Budget (OMB) Circular A-130 and DHS MD 4300A\n          require formal certi\xef\xac\x81cation and of\xef\xac\x81cial management authorization to operate all\n          systems. In addition, all systems shall be re-certi\xef\xac\x81ed every three years or when a\n          signi\xef\xac\x81cant change that affects the system\xe2\x80\x99s security posture is implemented.\n\n          FISMA requires federal agencies to provide mandatory periodic training in\n          computer security awareness and accepted computer security practices for all\n          employees who are involved with the management, use, or operation of a federal\n          computer system within or under the supervision of the federal agency. OMB\n          Circular A-130, Appendix III, issued in 1996, enforces such mandatory training\n          by requiring its completion prior to granting access to the system and through\n          periodic refresher training for continued access.\n\n          Having wireless networks and messaging systems operating without a full C&A,\n          DHS has no assurance that these networks and systems meet a speci\xef\xac\x81ed set of\n          security requirements. The use of wireless technology introduces new security\n          risks to wired networks and the risk for security controls to be circumvented\n          is high on a network or system that is operating without the required C&A.\n          Operating a wireless network and messaging system without C&A could be\n          equivalent of offering intruders easy access to a system\xe2\x80\x99s sensitive data.\n\n\n\n\nPage 20           Inadequate Security Controls Increase Risks to DHS Wireless Networks\n\x0cRecommendations\n                To enhance the DHS guidance for wireless implementation, we recommend that\n                the CIO:\n\n                     1.   De\xef\xac\x81ne the conditions and limitations for using wireless technologies,\n                          including Bluetooth, in the DHS security policy.\n\n                     2.   Update the DHS IT Security Program Handbook to include\n                          implementation procedures required by NIST SP 800-48 for the use\n                          of wireless technologies. In addition, the Chief Information Security\n                          Of\xef\xac\x81cer should identify what DHS\xe2\x80\x99 minimally acceptable system\n                          con\xef\xac\x81guration requirements will be and document these requirements in\n                          the handbook.\n\n                     3.   Require the National Wireless Management Of\xef\xac\x81ce to provide the\n                          necessary oversight and guidance to align components\xe2\x80\x99 wireless\n                          programs with DHS\xe2\x80\x99 wireless goals.\n\n                To protect its wireless networks and messaging systems effectively, we\n                recommend that the CIO:\n\n                     4. Implement a standardized con\xef\xac\x81guration addressing wireless technologies\n                        on DHS networks, consistent with federal security requirements. In\n                        addition, the Chief Information Security Of\xef\xac\x81cer should require site\n                        surveys and wireless scans to verify that DHS\xe2\x80\x99 wireless signals are\n                        broadcast only to authorized users and areas.\n\n                To address the formal information systems review process and authorization to\n                operate, we recommend that the CIO:\n\n                     5.   Complete a C&A for each DHS system according to federal and DHS\n                          directives. The Chief Information Security Of\xef\xac\x81cer should make certain\n                          that the security certi\xef\xac\x81cation packages contain the essential information\n                          needed to make a credible risk-based decision on whether to authorize\n                          operation of the information system.\n\n\n\n\n         Inadequate Security Controls Increase Risks to DHS Wireless Networks                Page 21\n\x0cManagement Comments and OIG Evaluation\n             We obtained written comments (Appendix B) on a draft of this report from DHS.\n             DHS agreed with each of our recommendations. Below is a summary of DHS\xe2\x80\x99\n             response to each recommendation and our assessment of the response.\n\n             Recommendation 1: De\xef\xac\x81ne the conditions and limitations for using wireless\n             technologies, including Bluetooth, in the DHS security policy.\n\n             DHS agreed to de\xef\xac\x81ne the conditions and limitations for using wireless\n             technologies in the DHS security policy. The DHS WMO is currently working\n             with the Chief Information Security Of\xef\xac\x81cer to revise MD 4300 along with\n             the associated policy statements, handbooks, and attachments. DHS plans to\n             complete this action by September 30, 2004.\n\n             We accept DHS\xe2\x80\x99 response to revise the MD 4300 to include existing and emerging\n             wireless technology requirements.\n\n             Recommendation 2: Update the DHS IT Security Program Handbook to\n             include implementation procedures required by NIST SP 800-48 for the\n             use of wireless technologies. In addition, the Chief Information Security\n             Of\xef\xac\x81cer should identify what DHS\xe2\x80\x99 minimally acceptable system con\xef\xac\x81guration\n             requirements will be and document these requirements in the handbook.\n\n             DHS agreed and recognized the importance of wireless risk mitigation strategies,\n             as described in NIST Special Publication 800-48. In addition, the DHS WMO\n             formed two functional working groups to address issues related to wireless\n             commercial services. In collaboration with the DHS Chief Information\n             Security Of\xef\xac\x81cer, these two working groups bring together the stakeholders that\n             will identify, evaluate, and prepare recommendations regarding new wireless\n             technologies and associated con\xef\xac\x81gurations. The resulting guidelines will be\n             implemented and enforced through clearly delegated authority structures presently\n             established within each organization. DHS plans to complete this action by\n             September 30, 2004.\n\n             We agree that the formal steps DHS has taken, and plans to take, satis\xef\xac\x81es the\n             intent of the recommendation.\n\n\n\n\nPage 22              Inadequate Security Controls Increase Risks to DHS Wireless Networks\n\x0c       Recommendation 3: Require the National Wireless Management Of\xef\xac\x81ce to\n       provide the necessary oversight and guidance to align components\xe2\x80\x99 wireless\n       programs with DHS\xe2\x80\x99 wireless goals.\n\n       DHS agreed with the intent of this recommendation. DHS maintains that the\n       WMO is exercising the appropriate oversight, and is communicating the policies\n       and guidance to the components through its Wireless Working Group. The DHS\n       WMO has formed two working groups that will provide comprehensive oversight\n       and guidance in the area of wireless risk management. Key stakeholders\n       within each organizational component will provide representation and subject\n       matter expertise across three functional areas \xe2\x80\x93 (1) policy, planning, and risk\n       management; (2) wireless security in major IT programs; and (3) risk assessment\n       of emerging technologies. These functional areas will report to the parent\n       Wireless Working Group that, in turn, provides recommendations to the DHS\n       WMO. These recommendations will be incorporated, as appropriate, into policy\n       statements and guidelines in MD 4300 and associated handbooks. DHS plans to\n       complete this action by September 30, 2004.\n\n       We accept DHS\xe2\x80\x99 proposed actions to provide necessary oversight and guidance\n       to align components\xe2\x80\x99 wireless programs with DHS\xe2\x80\x99 wireless goals. However,\n       during the time of our review and as stated in our report, the WMO was focused\n       solely on land mobile radio systems and was not providing oversight of wireless\n       implementation within DHS. The OIG maintains that DHS, through its WMO,\n       must oversee and manage all DHS wireless functionality.\n\n       Recommendation 4: Implement a standardized con\xef\xac\x81guration addressing\n       wireless technologies on DHS networks, consistent with federal security\n       requirements. In addition, the Chief Information Security Of\xef\xac\x81cer should\n       require site surveys and wireless scans to verify that DHS\xe2\x80\x99 wireless signals\n       are broadcast only to authorized users and areas.\n\n       DHS agreed to evaluate its con\xef\xac\x81guration guidelines to ensure compliance with\n       applicable federal security requirements. Wireless site surveys and scans will\n       be conducted on a periodic basis as required by the DHS IT security policy MD\n       4300. DHS security authorities such as Information System Security Managers,\n       ISSOs, and Network Administrators will develop and enforce DHS policy through\n       routine wireless security vulnerability assessments. DHS plans to complete this\n       action by September 30, 2004.\n\n\n\n\nInadequate Security Controls Increase Risks to DHS Wireless Networks             Page 23\n\x0c          We accept DHS\xe2\x80\x99 response to establish and evaluate new con\xef\xac\x81guration guidelines\n          to ensure compliance with applicable federal standards and to perform wireless\n          site surveys and scans periodically. Once complete, these actions will address the\n          recommendation.\n\n          Recommendation 5: Complete a C&A for each DHS system according to\n          federal and DHS directives. The Chief Information Security Of\xef\xac\x81cer should\n          make certain that the security certi\xef\xac\x81cation packages contain the essential\n          information needed to make a credible risk-based decision on whether to\n          authorize operation of the information system.\n\n          DHS agreed to implement and maintain a rigorous C&A process for all wireless\n          systems, personal electronic devices, and tactical wireless communication\n          systems. Speci\xef\xac\x81cally, the Wireless Security Working Group will coordinate\n          with the DHS WMO and the DHS Chief Information Security Of\xef\xac\x81cer to ensure\n          consistency in the development and application of risk management approaches\n          and C&A processes for wireless services and technologies. This collaboration\n          ensures that the DHS WMO is effectively managing the Department\xe2\x80\x99s wireless\n          security risks. Additionally, the Designated Accrediting Authority within each\n          organizational component will be responsible for approving the implementation\n          and use of wireless systems at a speci\xef\xac\x81ed risk level during the C&A process.\n          DHS plans to complete this action by September 30, 2006, contingent upon the\n          availability of funding.\n\n          Once complete, these actions will address the recommendation. However, we\n          suggest that DHS strive to complete all system certi\xef\xac\x81cations and accreditations\n          sooner than the proposed target date.\n\n\n\n\nPage 24           Inadequate Security Controls Increase Risks to DHS Wireless Networks\n\x0c                                                                                     Appendix A\n                                                                                     Purpose, Scope, and Methodology\n\n\n\nPurpose, Scope, and Methodology\n                              The overall objective of this audit was to determine whether DHS developed\n                              adequate security policies, established oversight procedures, and implemented\n                              suf\xef\xac\x81cient security measures to ensure the networking of wireless devices are\n                              secure. Speci\xef\xac\x81cally, we determined whether: (1) DHS developed an adequate\n                              security policy guide and procedures for wireless networking and devices;\n                              (2) security controls have been effectively implemented and con\xef\xac\x81gured on DHS\xe2\x80\x99\n                              wireless devices and networks to protect against commonly known security\n                              vulnerabilities; and, (3) adequate physical controls are implemented to protect\n                              portable wireless devices, including sensitive data stored on wireless handheld\n                              devices and laptops.\n\n                              The wireless technologies selected for audit were the 802.11x, IrDA, and\n                              Bluetooth. The associated devices using these technologies are the Blackberry\xc2\xae,\n                              wireless handheld devices (such as PDAs with wireless capability, wireless mice,\n                              and keyboards), and access points (such as routers/hubs). We reviewed these\n                              devices because of their increasing popularity, mobility, and the well-known\n                              vulnerabilities associated with them.\n\n                              To accomplish our audit, we conducted \xef\xac\x81eldwork at the following locations:\n\n                                    \xe2\x80\xa2    Border and Transportation Security (BTS)20\n                                               Bureau of Immigration and Customs Enforcement (ICE)\n                                               Bureau of Customs and Border Protection (CBP)\n                                               Transportation Security Administration (TSA)\n                                    \xe2\x80\xa2    Bureau of Citizenship and Immigration Services (CIS)\n                                    \xe2\x80\xa2    DHS Management\n                                    \xe2\x80\xa2    Emergency Preparedness and Response (EP&R)\n                                    \xe2\x80\xa2    United States Coast Guard (USCG)\n                                    \xe2\x80\xa2    United States Secret Service (USSS)\n\n                              During the audit, we used two handheld wireless network scanners to look\n                              for authorized, unauthorized, and rogue access points; and access point signal\n                              strength on DHS networks:\n\n\n\n\n20\n     Three DHS components were selected from the BTS directorate.\n\n\n                       Inadequate Security Controls Increase Risks to DHS Wireless Networks                   Page 25\n\x0cAppendix A\nPurpose, Scope, and Methodology\n\n\n\n                                  \xe2\x80\xa2     The Fluke Networks \xe2\x80\x9cWaveRunner\xe2\x84\xa2\xe2\x80\x9d is a wireless network analyzer\n                                        that scans for the presence of 802.11b wireless signals.21 We conducted\n                                        non-invasive scans on DHS networks to test compliance with NIST\n                                        Wireless Network Standards and industry best practices. The\n                                        WaveRunner\xe2\x84\xa2 also veri\xef\xac\x81ed WEP implementation, correct access point\n                                        con\xef\xac\x81guration, and Client to access point connections.\n\n                                  \xe2\x80\xa2     The Berkeley Varitronics Systems Mantis\xe2\x84\xa2 Bluetooth Transceiver is a\n                                        real-time wireless device designed for locating and verifying Bluetooth\n                                        wireless devices and connections. The scan is non-invasive, non-\n                                        attacking, and provides information to a tester to determine device\n                                        identi\xef\xac\x81cation and capability, signal strength, and approximate location.\n\n                             We did not examine wireless devices and networks used in classi\xef\xac\x81ed\n                             environments or wireless connectivity through cellular modems and mobile\n                             radios during this review. We conducted our audit between October 2003 and\n                             January 2004 according to generally accepted government auditing standards.\n                             Major contributors to this report are listed in Appendix F.\n\n\n\n\n21\n  The WaveRunner\xe2\x84\xa2 does not have the functionality to scan for 802.11a or g protocols. Currently, 802.11a or g protocols do not share\nthe same market usage as 802.11b. According to \xe2\x80\x9cIn-Stat MDR\xe2\x80\x9d, a high-tech market research \xef\xac\x81rm, 802.11b is the predominant wireless\nprotocol.\n\n\nPage 26                                 Inadequate Security Controls Increase Risks to DHS Wireless Networks\n\x0c                                                                       Appendix B\n                                                                       Management\xe2\x80\x99s Comments\n\n\n\n\nInadequate Security Controls Increase Risks to DHS Wireless Networks                   Page 27\n\x0cAppendix B\nManagement\xe2\x80\x99s Comments\n\n\n\n\nPage 28                 Inadequate Security Controls Increase Risks to DHS Wireless Networks\n\x0c                                                                       Appendix B\n                                                                       Management\xe2\x80\x99s Comments\n\n\n\n\nInadequate Security Controls Increase Risks to DHS Wireless Networks                   Page 29\n\x0cAppendix B\nManagement\xe2\x80\x99s Comments\n\n\n\n\nPage 30                 Inadequate Security Controls Increase Risks to DHS Wireless Networks\n\x0c                                                                       Appendix B\n                                                                       Management\xe2\x80\x99s Comments\n\n\n\n\nInadequate Security Controls Increase Risks to DHS Wireless Networks                   Page 31\n\x0cAppendix B\nManagement\xe2\x80\x99s Comments\n\n\n\n\nPage 32                 Inadequate Security Controls Increase Risks to DHS Wireless Networks\n\x0c                                                           Appendix C\n                                                           Wireless Technology Standards and Functionality\n\n\n\nWireless\n                Purpose            Frequency          Range            Speed           Device       Compatibility\nStandard\n                                                  25 to 75 feet\n                                                                                     Laptop\n                                                  indoor; range                                     Not compatible\n            Wireless network                                           Up to         computers,\n802.11a     access\n                                     5GHz         can be affected\n                                                                      54Mbps         PDAs, cell\n                                                                                                    with 802.11b,\n                                                  by building                                       802.11g\n                                                                                     phones\n                                                  materials\n\n\n                                                  Up to 150 feet                                    Other 2.4GHz\n                                                                                     Laptop\n                                                  indoors; range                                    devices, like\n            Wireless network                                          Up to 11       computers,\n802.11b     access\n                                    2.4GHz        can be affected\n                                                                       Mbps          PDAs, cell\n                                                                                                    cordless phones,\n                                                  by building                                       may disrupt\n                                                                                     phones\n                                                  materials                                         connection\n\n\n                                                  Up to 150 feet                                    Other 2.4GHz\n                                                  indoors; range                                    devices, like\n            Wireless network                                           Up to         Laptop\n802.11g     access\n                                    2.4GHz        can be affected\n                                                                      54Mbps         computers\n                                                                                                    cordless phones,\n                                                  by building                                       may disrupt\n                                                  materials                                         connection\n\n\n            Wireless network\n            access security.\n            Supplementary                         Up to 150 feet\n                                                                                     Laptop\n            to MAC layer.                         indoors; range                                    802.11a, 802.11b\n                                    2.4 \xe2\x80\x93 5.0                          Up to         computers,\n802.11i     Provides alternative\n                                      GHz\n                                                  can be affected\n                                                                      54Mbps         PDAs, cell\n                                                                                                    and 802.11g\n            to WEP with new                       by building                                       devices\n                                                                                     phones\n            encryption methods                    materials\n            and authentication\n            procedures\n\n\n                                                                                     Printers,\n            Wirelessly                            Up to 33 feet (10                                 Other 2.4GHz\n                                                                                     cameras,\n            connect computer                      meters); range                                    devices, like\nBluetooth                                                                            cell phones,\n            peripherals, such       2.4GHz        can be affected     720Kbps                       cordless phones,\n802.15                                                                               headphones,\n            as printers, PDAs,                    by building                                       may disrupt\n                                                                                     PDAs, other\n            cameras                               materials                                         connection\n                                                                                     peripherals\n\n\n\n\n              Inadequate Security Controls Increase Risks to DHS Wireless Networks                            Page 33\n\x0cAppendix D\nDHS Wireless Capabilities\n\n\n\n                                                          Wireless Technology                                 Draft\n               Components                                                                 Wireless\n                                                                                                             Security\n                                           802.11a     802.11b    802.11g    Bluetooth                        Policy\n                                                                                          Messaging\n\n          DHS Management                                                          X           \xe2\x99\xa6                 \xe2\x99\xa6\n\n          Bureau of Customs and\n          Border Protection (CBP)                                                             \xe2\x99\xa6\n\n          Bureau of Immigration &\n          Customs Enforcement (ICE)                                                           \xe2\x99\xa6\n\n          Citizenship & Immigration\n          Services (CIS)                                  \xe2\x99\xa6                       X\n\n\n          Emergency Preparedness &\n          Response (EP&R)/FEMA               \xe2\x99\xa6            \xe2\x99\xa6          \xe2\x99\xa6                        \xe2\x99\xa6                 \xe2\x99\xa6\n\n          Transportation Security\n          Administration (TSA)               \xe2\x99\xa6                                                                  \xe2\x99\xa6\n          United States Coast Guard\n          (USCG)                                          \xe2\x99\xa6                                   \xe2\x99\xa6                 \xe2\x99\xa6\n          United States Secret Service\n          (USSS)\n                                                                                  X\n                                                  \xe2\x99\xa6 \xe2\x80\x93 Disclosed in initial data call.\n                                                 X \xe2\x80\x93 Identi\xef\xac\x81ed during onsite testing.\n\n\n\n\nPage 34                               Inadequate Security Controls Increase Risks to DHS Wireless Networks\n\x0c                                                                       Appendix E\n                                                                       Report Distribution\n\n\n\n       Department of Homeland Security\n\n       Secretary\n       Deputy Secretary\n       General Counsel\n       Chief of Staff\n       DHS OIG Liaison\n       DHS Public Affairs\n\n       Of\xef\xac\x81ce of Management and Budget\n\n       Homeland Bureau Chief\n       DHS OIG Budget Examiner\n\n       Congress\n\n       Congressional Oversight and Appropriations Committees, as appropriate\n\n\n\n\nInadequate Security Controls Increase Risks to DHS Wireless Networks               Page 35\n\x0cAppendix F\nMajor Contributors to This Report\n\n\n\n                     Information Security Audits Division\n\n                     Edward G. Coleman, Director\n                     Patrick Nadon, IT Audit Manager\n                     Chiu-Tong Tsang, Audit Team Leader\n                     Werner Roberts, Auditor\n                     Lane Melton, Technical Specialist\n                     Ernest Bender, Referencer\n\n\n\n\nPage 36                       Inadequate Security Controls Increase Risks to DHS Wireless Networks\n\x0c\x0cAdditional Information and Copies\n\nTo obtain additional copies of this report, call the Of\xef\xac\x81ce of Inspector General (OIG)\nat (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG web site at\nwww.dhs.gov/oig.\n\nOIG Hotline\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal\nor noncriminal misconduct relative to department programs or operations, call the OIG\nHotline at 1-800-323-8603; write to Department of Homeland Security, Washington, DC\n20528, Attn: Of\xef\xac\x81ce of Inspector General, Investigations Division \xe2\x80\x93 Hotline. The OIG\nseeks to protect the identity of each writer and caller.\n\x0c'